Privacy Policy

1. Introduction

oneAklan ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service"). This policy applies to our platform that connects buyers with local Micro, Small, and Medium Enterprises (MSMEs) across Western Visayas, Philippines.

2. Information We Collect

2.1 Account Information

When you create an account with oneAklan, we collect:

• Personal Details: Name, email address, and password (encrypted)
• Profile Information: Profile picture, bio, location, and business information
• Authentication Data: Login credentials, two-factor authentication settings, and security preferences
• Social Login Data: When using Google, Apple, or LinkedIn sign-in, we collect basic profile information permitted by those platforms

2.2 Business and Marketplace Data

To facilitate business connections and marketplace activities, we collect:

• Business Profiles: Company name, business type, products/services, location, and contact information
• Marketplace Activity: Product listings, requests, offers, and transaction communications
• Matching Data: Business preferences, industry categories, and connection history
• Content: Messages, reviews, ratings, and user-generated content

2.3 Technical and Usage Data

We automatically collect technical information to provide and improve our Service:

• Device Information: Device type, operating system, unique device identifiers, and app version
• Usage Analytics: Pages viewed, features used, time spent, navigation patterns, and user interactions
• Security Data: Login attempts, security events, IP addresses, and session information
• Location Data: General geographic location for regional content and business matching
• Camera and Storage: Access for profile pictures and business listings (with permission)

2.4 Third-Party Platform Data

We aggregate publicly available information from partner platforms:

• Shopee: Product listings, prices, seller information, and reviews from partnered MSMEs
• TikTok: Public business content, product showcases, and promotional materials
• Social Media: Public business profiles and product information from various platforms

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Core Platform Services

• Account Management: Create, maintain, and secure user accounts with enterprise-grade security
• Authentication: Verify identity, enable two-factor authentication, and manage secure sessions
• Business Matching: Connect buyers with relevant MSMEs based on location, industry, and preferences
• Marketplace Operations: Facilitate product discovery, business communications, and transaction coordination
• Profile Management: Enable users to create, edit, and maintain their business profiles

3.2 Platform Improvement and Analytics

• Usage Analytics: Analyze user behavior to improve app functionality and user experience
• Performance Optimization: Monitor app performance, identify bugs, and enhance stability
• Feature Development: Develop new features based on user needs and usage patterns
• Regional Insights: Generate anonymized reports on MSME activity in Western Visayas

3.3 Security and Compliance

• Security Monitoring: Detect and prevent fraudulent activities, unauthorized access, and security breaches
• Legal Compliance: Meet legal obligations under Philippine data protection and business laws
• Government Reporting: Provide anonymized regional economic data to government partners (DTI, DICT, DOST, DA)
• Audit and Logging: Maintain security logs for compliance and incident investigation

3.4 Communication and Support

• Customer Support: Provide technical assistance and resolve user issues
• Platform Updates: Notify users about new features, policy changes, and important announcements
• Business Communications: Facilitate messaging between buyers and sellers (message content is not monitored)
• Marketing Communications: Send promotional content about platform features (with user consent)

4. Information Sharing and Disclosure

4.1 General Principles

We do not sell, trade, or rent your personal information to third parties. We only share information as described below or with your explicit consent.

4.2 Service Providers and Partners

We may share limited information with trusted service providers who help us operate the platform:

• Cloud Infrastructure: Supabase for secure data storage and authentication services
• Analytics Providers: Anonymized usage data for app performance monitoring
• Security Services: Information necessary for fraud detection and prevention
• Customer Support: Technical support providers (only with user consent)

4.3 Business Connections

To facilitate marketplace activities, we share relevant information between users:

• Public Business Profiles: Business name, description, location, and contact information (as configured by users)
• Marketplace Communications: Messages and requests between buyers and sellers
• Transaction Information: Order details and fulfillment data (when direct transactions are implemented)

4.4 Government and Research Partners

We may share aggregated, anonymized data with:

• Government Agencies: DTI, DICT, DOST, and DA for regional economic development reporting
• Academic Institutions: Anonymized research data for economic studies (with user consent)
• MSME Development Programs: Aggregated business trend data to support local enterprise growth

4.5 Legal Requirements

We may disclose information when required by law or when we believe disclosure is necessary to:

• Comply with legal processes, court orders, or government requests
• Protect our rights, property, or safety, or that of our users
• Prevent fraud, security breaches, or illegal activities
• Support law enforcement investigations (with proper legal authorization)
• Enforce our Terms of Service or other agreements

4.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred to the new entity, subject to the same privacy protections outlined in this policy.

5. Data Security and Protection

We implement comprehensive security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

5.1 Technical Security Measures

• Data Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Secure Authentication: Multi-factor authentication (2FA) available with TOTP support
• Access Controls: Role-based access controls with principle of least privilege
• Security Headers: Comprehensive HTTP security headers to prevent common attacks
• Input Validation: Advanced input sanitization to prevent XSS and injection attacks

5.2 Account Security Features

• Password Security: Bcrypt hashing with salt for all passwords
• Session Management: Secure session handling with automatic timeout
• Rate Limiting: Protection against brute force attacks (5 attempts, 15-minute lockout)
• CSRF Protection: Cross-site request forgery prevention with secure tokens
• Device Tracking: Monitor and manage active sessions across devices

5.3 Infrastructure Security

• Secure Hosting: Data hosted on Supabase with SOC 2 Type 2 compliance
• Regular Updates: Automatic security patches and dependency updates
• Monitoring: 24/7 security monitoring and incident response
• Backup Systems: Encrypted, geographically distributed backups
• Audit Logging: Comprehensive logs for security events and access attempts

5.4 Employee Access and Training

• Background Checks: Security screening for personnel with data access
• Training Programs: Regular data protection and security awareness training
• Access Reviews: Quarterly reviews of employee access permissions
• Confidentiality Agreements: Legal obligations for all team members

Important Note: While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. We continuously improve our security practices and encourage users to maintain strong, unique passwords and enable two-factor authentication.

6. Third-Party Services and Integration

Our Service integrates with various third-party platforms and services. Each integration is subject to their respective privacy policies:

6.1 Authentication Providers

• Google Sign-In: Subject to Google's Privacy Policy - we only receive basic profile information you authorize
• Apple Sign-In: Subject to Apple's Privacy Policy - minimal data sharing with optional email masking
• LinkedIn: Subject to LinkedIn's Privacy Policy - professional profile information only

6.2 Business Platform Integration

• Shopee: Product listings and public business information (subject to Shopee's Privacy Policy)
• TikTok: Public business content and promotional materials (subject to TikTok's Privacy Policy)
• Other Social Platforms: Public business profiles and product information

6.3 Technical Service Providers

• Supabase: Database and authentication services (subject to Supabase's Privacy Policy)
• Analytics Services: Anonymized app performance and usage analysis
• Cloud Storage: Secure file storage for profile pictures and business documents

Data Sharing Control: When you use social sign-in features, you control what information is shared. We only request the minimum necessary information to create your account and will clearly show you what data will be accessed before you authorize the connection.

Third-Party Responsibility: We are not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies before using these features.

7. Data Retention and Management

We retain your information only as long as necessary to provide our services and comply with legal obligations:

7.1 Account Data Retention

• Active Accounts: Profile and account data retained while your account remains active
• Inactive Accounts: Accounts inactive for 2+ years may be flagged for review and potential deletion
• Security Logs: Authentication and security events retained for 2 years for security monitoring
• Support Records: Customer support interactions retained for 1 year for service improvement

7.2 Business Data Retention

• Business Profiles: Retained while business account is active and for 1 year after deactivation
• Marketplace Content: Product listings and business communications retained according to legal requirements
• Transaction Records: Order history and payment records retained for 7 years (Philippine tax requirements)
• Analytics Data: Anonymized usage data retained indefinitely for research and platform improvement

7.3 Automatic Data Cleanup

• Temporary Files: Profile picture uploads and temporary data cleaned up automatically
• Expired Sessions: Authentication sessions and temporary tokens expired and cleaned regularly
• Failed Uploads: Incomplete uploads and temporary data removed within 24 hours
• Rate Limiting Data: Temporary rate limiting records cleared after lockout periods

7.4 Legal and Compliance Requirements

Some data may be retained longer when required by:

• Philippine Data Privacy Act obligations
• Business and tax record requirements
• Ongoing legal proceedings or investigations
• Government reporting and compliance needs

8. Your Rights and Choices

You have comprehensive rights regarding your personal information under Philippine law and our platform policies:

8.1 Access and Information Rights

• Access Your Data: Request a copy of all personal information we have about you
• Data Portability: Download your account data in a machine-readable format
• Processing Information: Learn how your data is used, stored, and shared
• Data Sources: Understand where we obtained your information

8.2 Control and Correction Rights

• Update Profile: Edit your profile information through Profile > Edit Profile
• Correct Inaccuracies: Request correction of any incorrect personal information
• Privacy Settings: Control profile visibility and information sharing through Profile > Security
• Communication Preferences: Manage notification and marketing email preferences

8.3 Deletion and Restriction Rights

• Account Deletion: Permanently delete your account and associated data (see Section 9 for detailed instructions)
• Selective Deletion: Request deletion of specific information or content
• Processing Restrictions: Request limits on how we process your data
• Objection Rights: Object to certain types of data processing activities

8.4 Security and Consent Rights

• Withdraw Consent: Revoke consent for data processing where consent is the legal basis
• Security Notifications: Receive alerts about unusual account activity
• Two-Factor Authentication: Enable/disable enhanced security features
• Session Management: View and terminate active sessions on other devices

8.5 Legal and Regulatory Rights

• File Complaints: Report privacy concerns to the National Privacy Commission
• Legal Representation: Seek legal remedy for privacy violations
• Regulatory Contact: Directly contact Philippine data protection authorities
• Dispute Resolution: Access our internal privacy dispute resolution process

8.6 How to Exercise Your Rights

To exercise any of these rights:

• Use in-app settings for immediate changes (Profile > Security, Profile > Edit Profile)
• Contact our Data Protection Officer at selahstudioph@gmail.com
• Send detailed requests with proper identification
• Allow up to 30 days for complex requests as required by Philippine law

9. Account Deletion and Data Removal

Important: Account deletion is permanent and cannot be undone. This section provides comprehensive instructions for account deletion as required by Apple App Store and Google Play Store policies. Please ensure you have downloaded any important data before proceeding.

9.1 In-App Account Deletion (Recommended Method)

9.2 Email Account Deletion Request (Alternative Method)

9.3 Comprehensive Data Deletion Scope

9.4 Critical Deletion Warnings and Consequences

9.5 Alternatives to Account Deletion

9.6 Post-Deletion Process and Support

9.7 Special Deletion Scenarios

9.8 App Store Compliance Statement

10. Regional Compliance and Legal Framework

As a platform focused on Western Visayas and operating in the Philippines, we comply with all applicable data protection and business laws:

10.1 Philippine Data Protection Compliance

• Republic Act No. 10173 (Data Privacy Act of 2012): Full compliance with data processing, storage, and user rights
• National Privacy Commission (NPC) Regulations: Regular compliance audits and reporting
• Implementing Rules and Regulations (IRR): Adherence to detailed privacy implementation guidelines
• Data Protection Officer (DPO): Designated DPO for privacy compliance and user rights

10.2 Business and Industry Compliance

• Department of Trade and Industry (DTI): Compliance with e-commerce and consumer protection guidelines
• Department of Information and Communications Technology (DICT): Cybersecurity and digital platform standards
• Bangko Sentral ng Pilipinas (BSP): Financial data protection for payment processing
• Bureau of Internal Revenue (BIR): Tax record retention and business documentation requirements

10.3 Regional Government Partnerships

• Western Visayas Regional Development Council: Economic development data sharing agreements
• Department of Science and Technology (DOST): Innovation and technology development partnerships
• Department of Agriculture (DA): Agricultural MSME development programs
• Local Government Units (LGUs): Municipal and provincial business development initiatives

10.4 International Standards

While primarily operating under Philippine law, we also consider international best practices:

• ISO 27001: Information security management standards
• SOC 2 Type 2: Security and availability controls through our infrastructure partners
• GDPR Principles: Privacy by design and data minimization practices
• APEC Privacy Framework: Asia-Pacific regional privacy guidelines

11. Children's Privacy and Age Requirements

11.1 Age Restrictions

oneAklan is designed for business and commercial use and has the following age requirements:

• Minimum Age: 18 years old for business account creation
• Restricted Age: Users aged 13-17 may browse with parental consent but cannot create business accounts
• Prohibited: Children under 13 are not permitted to use our Service

11.2 Child Privacy Protection

• No Intentional Collection: We do not knowingly collect personal information from children under 13
• Immediate Deletion: If we discover we have collected information from a child under 13, we will delete it immediately
• Parental Rights: Parents can request deletion of their child's information by contacting us
• Age Verification: Business registration requires age confirmation and identification

11.3 Reporting and Parental Concerns

If you believe a child under 13 has created an account or provided personal information:

• Contact us immediately at selahstudioph@gmail.com
• Subject Line: "Child Privacy Concern - oneAklan"
• Provide details about the suspected underage account
• We will investigate and take appropriate action within 24 hours

12. International Data Transfers and Cross-Border Data Flow

12.1 Data Location and Transfers

Your information may be transferred to and processed in countries other than the Philippines:

• Primary Storage: Data primarily stored in Singapore and US data centers (Supabase infrastructure)
• Backup Systems: Encrypted backups may be stored across multiple jurisdictions
• Service Providers: Some service providers may process data in their home countries
• Emergency Access: Technical support teams may access data from various locations

12.2 Transfer Safeguards

When transferring data internationally, we ensure appropriate safeguards:

• Adequacy Decisions: Transfers to countries with adequate data protection laws
• Standard Contractual Clauses: Legal agreements requiring equivalent protection
• Certification Programs: Service providers with recognized privacy certifications
• Encryption Requirements: All international transfers use end-to-end encryption

12.3 Data Subject Rights Across Borders

Your privacy rights under Philippine law remain protected regardless of where your data is processed:

• Right to access your data wherever it's stored
• Right to correction and deletion across all systems
• Right to file complaints with Philippine authorities
• Right to request data localization in specific circumstances

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations.

13.1 Notification of Changes

We will notify you of material changes through:

• In-App Notifications: Prominent notices within the oneAklan app
• Email Alerts: Direct notifications to your registered email address
• Website Updates: Updated policy posted on our website with change highlights
• Push Notifications: Important privacy changes via mobile push notifications

13.2 Notice Periods

• Major Changes: 30 days advance notice for significant privacy policy changes
• Minor Updates: 7 days notice for clarifications and non-material changes
• Legal Requirements: Immediate updates when required by law with retroactive notification
• Emergency Changes: Immediate notification for security-related policy updates

13.3 Your Options When Policies Change

• Review Period: Time to review changes before they take effect
• Continued Use: Using the Service after changes indicates acceptance
• Account Deletion: Option to delete your account if you disagree with changes
• Contact Us: Opportunity to ask questions or raise concerns about changes

13.4 Change Documentation

We maintain transparency about policy changes by:

• Highlighting specific changes in update notifications
• Maintaining a version history of policy changes
• Providing plain-language summaries of complex changes
• Offering clarification sessions for significant updates

Current Version: This privacy policy was last updated on August 6, 2025, and is effective immediately for all new users and 30 days from this date for existing users.

14. Contact Information and Support

We are committed to addressing your privacy concerns and questions promptly. Multiple contact options are available depending on your needs:

14.1 What to Include in Your Privacy Inquiry

14.2 Philippine Regulatory Contacts

Our Response Commitment: We will respond to all privacy-related inquiries within the timeframes specified above, as required by Philippine data protection laws. For complex requests requiring investigation or legal review, we may need up to 30 days and will keep you informed of our progress.

Language Support: We provide support in English and Filipino. For assistance in other languages, please mention your preferred language in your inquiry, and we will do our best to accommodate your request.

14. Acknowledgment

By using oneAklan, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. This policy is effective as of the date listed above and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.